b"                                             AR 03-056\n\n\n\n\n               Office of Inspector General\n                Independent Evaluation\n\n\n\n\nReview of Federal Trade Commission Implementation of the\n      Federal Information Security Management Act\n                   For Fiscal Year 2003\n\x0cINTRODUCTION\n\nWorking with the Federal Trade Commission\xe2\x80\x99s (FTC) Office of Inspector General (OIG), Richard S.\nCarson & Associates, Inc. (the Assessment Team) completed this Independent Evaluation Report along\nwith the IG\xe2\x80\x99s portion of the Executive Summary that management submitted to the Office of Management\nand Budget (OMB) on September 29, 2003. The Independent Evaluation Report provides specific\nfindings and, when applicable, recommendations for resolution.\n\nOn December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-\n347), which includes Title III, the Federal Information Security Management Act (FISMA) of 2002. The\nFISMA permanently reauthorized the framework laid out in the Government Information Security\nReform Act (GISRA)of 2000 which expired in November 2002. The FISMA outlines the information\nsecurity management requirements for agencies, including the requirement for annual review and\nindependent assessment by agency inspectors general. In addition, FISMA includes new provisions\naimed at further strengthening the security of the Federal government\xe2\x80\x99s information and information\nsystems, such as the development of minimum standards for agency systems. The annual assessments\nprovide agencies with the information needed to determine the effectiveness of overall security programs\nand to develop strategies and best practices for improving information security.\n\nThe independent evaluation comprises four elements \xe2\x80\x94 evaluation of the implementation of the FTC\ninformation security program, evaluation of FTC progress towards completing weaknesses addressed\nwithin the 2002 Plan of Action and Milestones (POA&Ms), evaluation of the FTC system self-\nassessments, and verification and testing of information security controls for four representative\ninformation systems. The results of the independent evaluation are presented in a separate Independent\nEvaluation Report that presents a number of recommendations to address the problems identified during\nthe evaluation. The major findings from the report are summarized in the Results In Brief.\n\nOBJECTIVES\n\nThe objectives of the independent evaluation of the FTC information security program were to:\n\n    1. Assess compliance with FISMA and related information security policies, procedures, standards\n       and guidelines; and\n    2. Test the effectiveness of information security policies, procedures and practices on a\n       representative subset of the agency\xe2\x80\x99s information systems.\n\nRESULTS IN BRIEF\n\nThe Federal Information Security Management Act defines information security as \xe2\x80\x9c\xe2\x80\xa6 protecting\ninformation and information systems from unauthorized access, use, disclosure, disruption, modification,\nor destruction in order to provide \xe2\x80\x93 (A) integrity, which means guarding against improper information\nmodification or destruction, and includes ensuring information nonrepudiation and authenticity; (B)\nconfidentiality, which means preserving authorized restrictions on access and disclosure, including means\nfor protecting personal privacy and proprietary information; and (C) availability, which means ensuring\ntimely and reliable access to and use of information.\xe2\x80\x9d\n\nThe OIG found that FTC\xe2\x80\x99s Office of Information and Technology Management (ITM) continues to make\nprogress in developing a mature information security program, and has implemented or addressed OIG-\nidentified security vulnerabilities discussed in the FY 2002 Independent Evaluation report. For example\nthe FTC:\n\n\n\n\n                                                                                                      -1-\n\x0c    \xe2\x80\xa2   Developed security plans for its general support system and major applications.\n    \xe2\x80\xa2   Addressed nine of the 16 issues identified in the POA&M list and expects to complete the\n        remaining ones by the March 31, 2004.\n    \xe2\x80\xa2   Developed policies and procedures that addressed various security issues, such as password\n        management, incident response reporting, remote access, and certification and accreditation.\n    \xe2\x80\xa2   Developed a Disaster Recovery Plan (DRP).\n    \xe2\x80\xa2   Developed a new IT security awareness program.\n\nAs a result of these actions, the OIG believes that the FTC is more secure today (from an information\nsecurity perspective) than it was just one year ago.\n\nIn a memorandum to agencies and inspectors general, dated August 6, 2003, the Office of Management\nand Budget (OMB) provided guidance on FISMA implementation and reporting. As part of this\nguidance, OMB requires agencies to identify and report on \xe2\x80\x9csignificant deficiencies\xe2\x80\x9d in their information\nsecurity programs. OMB interprets a significant deficiency to include a \xe2\x80\x9cfailure to meet FISMA\xe2\x80\x99s\ndelineated requirements for an agency security program including the failure to substantially comply with\nrelated policies, guidance and standards.\xe2\x80\x9d In the IT security program context, examples of significant\ndeficiencies include the failure to (i) perform adequate annual program and system reviews, (ii) maintain\ncomprehensive POA&Ms, and (iii) adequately train agency employees and contractors. In the context of\nindividual systems, OMB A-130 details three specific examples of significant deficiencies: (i) the failure\nto assign responsibility for security of the system or application, (ii) the lack of a system security plan,\nand (iii) the absence of authorizations to process (certification and accreditation).\n\nNotwithstanding progress made by ITM in the areas identified above, the OIG found two significant\ndeficiencies along with other areas of security concern that need to be addressed. The significant\ndeficiencies are:\n\n    \xe2\x80\xa2   FTC Systems are Not Certified and Accredited. OMB A-130, Appendix III, requires that\n        major applications and general support systems undergo a security certification and accreditation\n        once every three years, or sooner if the system has undergone major modifications. The OIG\n        found that the ITM certified and accredited only one of seven systems. This was an interim\n        certification valid for one year. Further, ITM policy does not require system tests and evaluations\n        before certifying and accrediting its major applications and support systems. Without testing,\n        ITM lacks assurances that modifications made to address security vulnerabilities are working.\n\n    \xe2\x80\xa2   POA&M Tracking does not Meet OMB Requirements. Both OMB and GISRA/FISMA\n        guidance requires agencies to identify vulnerabilities from all audits, studies and evaluations\n        performed on IT systems. This requirement was reiterated in the new FISMA guidance provided\n        to executive departments and agencies by OMB in August 2003. A review of the quarterly\n        POA&Ms submitted to OMB found that weaknesses from the last GISRA evaluation were being\n        tracked by ITM. However, the OIG found no evidence that vulnerabilities from C&A reviews,\n        risk assessments or annual self-assessments were either documented or tracked in the POA&M.\n        By not documenting vulnerabilities in the POA&M, ITM is not in compliance with OMB.\n\nBased on these significant deficiencies and other security concerns (identified in the body of the report),\nthe OIG made a number of recommendations to strengthen FTC\xe2\x80\x99s security program.\n\n\n\n\n                                                                                                         -2-\n\x0c1       Background\n\nOn December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-\n347), which includes Title III, the Federal Information Security Management Act (FISMA) of 2002. The\nFISMA permanently reauthorized the framework laid out in the Government Information Security\nReform Act of 2000 (GISRA), which expired in November 2002. The FISMA outlines the information\nsecurity management requirements for agencies, including the requirement for annual review and\nindependent assessment by agency inspectors general. In addition, FISMA includes new provisions\naimed at further strengthening the security of the Federal government\xe2\x80\x99s information and information\nsystems, such as the development of minimum standards for agency systems. The annual assessments\nprovide agencies with the information needed to determine the effectiveness of overall security programs\nand to develop strategies and best practices for improving information security.\n\nThe independent evaluation comprises four elements \xe2\x80\x94 evaluation of the implementation of the FTC\ninformation security program, evaluation of FTC progress towards completing weaknesses addressed\nwithin the 2002 Plan of Action and Milestones (POA&Ms), evaluation of the FTC system self-\nassessments, and verification and testing of information security controls for four representative\ninformation systems.\n\n2       Purpose\n\nThe objectives of the independent evaluation of the FTC information security program were to:\n\n    1. Assess compliance with FISMA and related information security policies, procedures, standards,\n       and guidelines; and\n    2. Test the effectiveness of information security policies, procedures, and practices, of a\n       representative subset of the agency\xe2\x80\x99s information systems.\n\n3       Scope and Methodology\n\nThe scope of this independent evaluation of the FTC information security program included:\n\n    \xe2\x80\xa2   Review of FTC major applications and general support systems\n    \xe2\x80\xa2   POA&M review for completeness and accuracy\n    \xe2\x80\xa2   Security controls testing\n\nThe computer security review did not include controls related to the management of safeguards or\nclassified information or physical security controls. The OIG reviewed the following FTC systems and/or\nsystem components in detail:\n    \xe2\x80\xa2   CND                                           \xe2\x80\xa2   OSCAR\n    \xe2\x80\xa2   Infrastructure (E-mail)                       \xe2\x80\xa2   Infrastructure ( FTC Enterprise Systems)\n\nTo accomplish the review objectives, the OIG conducted interviews with the Chief Information Officer\n(CIO), Deputy CIO, Acting Senior IT Security Officer, other members of the CIO staff, Director of\nAdministrative Services, and FTC program officials. The team reviewed documentation provided by the\nFTC including security plans, risk assessments, the disaster recovery plan, the continuity of operations\nplan, the Occupant Emergency Plan, certification and accreditation reports, and other security related\npolicies. The OIG also conducted an external penetration test, a social engineering test, and an internal\nvulnerability scan.\n\n\n\n\n                                                                                                       -3-\n\x0cAll analyses were performed in accordance with guidance from the following:\n\n      \xe2\x80\xa2   OMB Memorandum M-03-19, Reporting Instructions for the Federal Information Security\n          Management Act and Updated Guidance on Quarterly IT Security Reporting (8/6/03)\n      \xe2\x80\xa2   National Institute of Standards and Technology (NIST) Special Publication 800-26, Self-\n          Assessment Guide for Information Technology Systems, August 2001\n      \xe2\x80\xa2   U.S. General Accounting Office (GAO), Government Auditing Standards, 1994 Revision\n      \xe2\x80\xa2   GAO, Federal Information System Controls Audit Manual, Volume I: Financial Statement\n          Audits, January 1999\n      \xe2\x80\xa2   The FTC/OIG Audit Guidance\n\nThis work was conducted during several site visits to the FTC offices between July 9 and September 5,\n2003.\n\n4         Significant Deficiencies\n\nOMB defines significant deficiencies as \xe2\x80\x9cfailure to meet FISMA\xe2\x80\x99s delineated requirements for an agency\nsecurity program including the failure to substantially comply with related policies, guidance and\nstandards.\xe2\x80\x9d\n\nIn the context of the IT security program, a significant deficiency would, according to OMB, include the\nfailure to perform adequate annual program and system reviews, failure to maintain comprehensive\nPOA&Ms, and failure to adequately train agency employees and contractors.\n\nIn the context of individual systems, OMB A-130 details three specific examples of significant\ndeficiencies: the failure to assign responsibility for security of the system or application, the lack of a\nsystem security plan, and the absence of authorizations to process (certification and accreditation).\nDepending on the level of risk and magnitude of harm to the system other weaknesses may also rise to the\nlevel of significant deficiency.\n\nThe OIG found two significant deficiencies in the FTC agency-wide IT security program. These\ndeficiencies are discussed below.\n\n4.1       Certification and Accreditation (C&A)\n\nOMB A-130, Appendix III, requires that major applications and general support systems undergo a\nsecurity certification and accreditation review every three years or sooner if major modifications are made\nto the system\n\nThe National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for\nSecurity Certification and Accreditation of Federal Information Systems (SP 800-37), currently in draft,\nstates that the security certification package should contain a security plan (based on a risk assessment), a\nsecurity test and evaluation report, and a POA&M list. The accreditation letter itself should contain the\naccreditation decision, supporting rationale, and terms and conditions. Further FISMA 2003 guidance\nstates \xe2\x80\x9cagencies [sic] certification and accreditation processes must conform to NIST guidance.\xe2\x80\x9d\n\nFTC\xe2\x80\x99s C&A policy, dated March 28, 2002, states that the C&A package should contain a risk assessment\nreport, a system security plan, a certifier\xe2\x80\x99s statement and the accreditation decision. The FTC\xe2\x80\x99s C&A\npolicy does not require a security test and evaluation report nor a POA&M list as part of its C&A\npackage.\n\n\n\n\n                                                                                                          -4-\n\x0cTable 4-1 below identifies the major applications (MA) and general support system (GSS), to include\nemail and FTC enterprise systems, and the security-related documentation available for review at the time\nof this evaluation.\n\n                               Table 4-1 \xe2\x80\x93 C&A Security Documentation\n\n\n         System            System          Risk           Security       Security           C&A\n          Name              Type        Assessment          Plan          T&E               Letters\n                                          Report                          Report\n   Documentum               MA              No              Yes            No                 No\n   FMO                      MA             N/A              N/A            N/A                N/A\n   OSCAR                    MA              No              Yes            No                 No\n   MMS                      MA              No              Yes            No                 No\n   CIS                      MA              No              Yes            No                 No\n   Pre-Merger               MA              No              Yes            No                 No\n   CND                      MA             Yes              Yes            No                 Yes\n   Infrastructure           GSS             No              Yes            No                 No\n\n\nRisk Assessment Report - The OIG found that only the CND system had a documented risk assessment.\nHowever, vulnerabilities identified in this report were not listed on the POA&M for monitoring and\nultimate disposition. For all remaining systems, the OIG identified no documented vulnerabilities and/or\nrecommendations resulting from any system reviews.\n\nITM management told the OIG that, due to staffing constraints, it could not prepare security plans and\nperform risk assessments in the same year. Based on prior OIG security recommendations, it laid out a\nplan to prepare security plans in FY 2003 (see below), and perform risk assessments in FY 2004.\n\nSecurity Plan - The agency made significant progress in the development of security plans. Seven\nsystems requiring a plan have one. An eighth system, FMO, belongs to the Department of Interior (DOI),\nwhere responsibility for the development of the security plan lies.\n\nThe FTC is in the process of redefining its major applications and general support systems. In the\nprevious year the FTC identified five general support systems: FTC Network, Web Servers, Firewalls,\nUnix Servers, and Internet/Intranet. These systems have now been rolled up into one general support\nsystem called Infrastructure.\n\nThe OIG reviewed the Infrastructure security plan and found that the security controls did not address the\nE-mail component in sufficient detail. This finding was verified in interviews with program officials,\nwho stated that the infrastructure security plan focused primarily on the network. Not having sufficient\ndetail for individual Infrastructure components may mean that the agency does not have a clear picture of\nthe system\xe2\x80\x99s security posture.\n\nSecurity T& E Report \xe2\x80\x93 While testing and evaluation is not yet a mandatory part of the C&A process\n(per NIST), it is required to be conducted annually on all major systems, pursuant to FISMA {Sec.\n3544(b)(5)}. The OIG found no testing and evaluation material for any major system or component.\nWithout T&E, it is difficult to identify select vulnerabilities and assure that vulnerabilities that were\nknown have been addressed. ITM told the OIG that it recognizes the importance of testing its systems,\nand will incorporate the NIST guidance on T&E into its C&A policy once this guidance is finalized.\n\n\n\n\n                                                                                                            -5-\n\x0cC&A Letters - The OIG found that the CND System was the only system requiring a C&A that had one.\nThis was an interim C&A, e.g., good for one year. ITM officials told the OIG that the C&As were not\naccomplished in FY 2003 because the C&A process requires a risk assessment to be performed on the\nsystems prior to certification. As stated, risk assessments are planned for FY 2004, at which time,\naccording to ITM officials, the remaining systems will be certified and accredited.\n\nRECOMMENDATIONS\n\nOIG recommends that ITM:\n\n      1.   Certify and accredit its seven major systems.\n      2.   Document all risk assessments.\n      3.   Revise the C&A policy to include testing and evaluation.\n      4.   Modify the FTC Enterprise Network security plan to address security for major system\n           components.\n\n4.2        Plan of Action and Milestones (POA&M)\n\nA POA&M, also referred to as a corrective action plan, is a tool that identifies tasks that need to be\naccomplished. It details the resources to accomplish the elements of the plan, milestones in meeting the\ntask, and scheduled completion dates for the milestones. FISMA guidance states POA&Ms \xe2\x80\x9care the\nauthoritative agency management mechanism to prioritize, track, and manage all agency efforts to close\nsecurity performance gaps.\xe2\x80\x9d The POA&M should include all security weaknesses resulting from all\nreviews done by, for, or on behalf of the agency, including General Accounting Office (GAO) audits,\nfinancial system audits, and critical infrastructure vulnerability assessments. POA&Ms are to be\nsubmitted on a quarterly basis to OMB.\n\nA review of the POA&M\xe2\x80\x99s for fiscal years 2002 and 2003 found that only weaknesses from the FY 2002\nGISRA evaluation were identified and were being tracked.\n\nRegarding the prior year vulnerabilities identified by the OIG, and placed on the POA&M, the OIG found\nthat the agency has made some progress in addressing them. The OIG verified that the FTC completed\nnine of the sixteen corrective actions, and most of the remaining recommendations are scheduled for\ncompletion by March 31, 2004. The FTC uses the POA&M as one management tool to track security\nweaknesses. ITM told the OIG that it also uses the change management process meetings (see Section\n5.5) as another tool to identify and address vulnerabilities. As mentioned above, these vulnerabilities are\nnot reported on the POA&M.\n\nWithout a single, comprehensive list of its security vulnerabilities, it is difficult for ITM to have a clear\nunderstanding of its security posture. Further, the current POA&M without such vulnerabilities added is\nnot FISMA compliant.\n\nFor FY 2004, the OIG plans to review POA&M\xe2\x80\x99s quarterly to more closely follow the agency\xe2\x80\x99s progress\nin addressing security vulnerabilities.\n\n\n\n\n                                                                                                           -6-\n\x0cRECOMMENDATIONS\n\nOIG recommends that ITM:\n\n      5. Record vulnerabilities and recommendations from other security studies and include them in the\n         POA&M.\n      6. Rely on the key features of the agency\xe2\x80\x99s security program (C&A testing and evaluation) to\n         identify, record and dispose of all significant vulnerabilities.\n\n5        Other Security Concerns\n\n5.1      Security Policies and Procedures\n\nThe FTC made headway in developing policies and procedures to enhance its IT security program. The\nFTC developed incident response, remote access, as well as certification and accreditation policies. The\nagency also updated its password policy. The FTC revised the Administrative Manual, Section 550,\nChapter 1, to act as an overarching guide for the agency\xe2\x80\x99s overall IT security. However, the OIG\nidentified other areas that do not meet OMB guidance and NIST standards.\n\n5.1.1    The FTC\xe2\x80\x99s Agency-Wide IT Security Program Continues to Evolve\n\nThe FTC made progress in developing policies and procedures to enhance its security. The agency\ndeveloped security requirements that were driven by the Gramm-Leach-Bliley legislation. ITM\ndeveloped policies that address certification and accreditation, incident handling, remote access, and\npasswords. The FTC developed a Disaster Recovery Plan (DRP) for its IT assets. The FTC recently\nrevised the Administrative Manual, Section 550, Chapter 1, that documents the FTC\xe2\x80\x99s IT security\nprogram as well as define its IT security framework and requirements. This document also outlines the\npersonnel roles and responsibilities related to IT security on a high level.\n\nHowever, there are several areas that the program does not address. For example, a patch management\npolicy is not documented, policies for cell phone usage need to be refined, annual self-assessments\nrequired by OMB are not discussed, responsibility for maintaining the system inventory is not assigned,\nand the process on how the FTC determines what systems are major applications and general support\nsystems is not addressed. The procedures in the existing Administrative Manual, Section 550, Chapter 1,\nare not sufficiently detailed or referenced for personnel to properly follow and implement the FTC\xe2\x80\x99s\nsecurity program. Not having documented procedures may lead to security policies not being\nimplemented consistently across the enterprise. Also, an incomplete agency-wide IT security program\nmakes it difficult to implement policy throughout the organization.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n      7. Expand Administrative Manual Section 550, Chapter 1 to accurately reflect roles and\n         responsibilities and policies and procedures.\n\n5.1.2    Not All Security Policies and Procedures are in Place or Implemented Consistently\n\nThe FTC made progress in the development and implementation of security policy. However, the OIG\nidentified instances where security policies were not implemented consistently across the agency. For\nexample, not all risk assessments are documented even though the FTC\xe2\x80\x99s certification and accreditation\npolicy requires it; password policy is not being consistently followed; not all required patches are being\n\n\n                                                                                                         -7-\n\x0cinstalled; self-assessments are not being performed annually; and system test plans and results are not\nbeing documented. This may be caused by not having operational procedures in place that instructs FTC\npersonnel on how to implement the policies. Two examples of vulnerabilities found where security\npolicy was not being followed are presented below.\n\n1. The FTC established and practices a Patch Management process, however, it is not documented. This\nprocess consists of the Computer Incident Response Team (CIRT) monitoring patches and threats and\ndetermining which patches and threats are critical to the FTC\xe2\x80\x99s Oracle, UNIX servers and the network.\nThe CIRT decides whether to do the fix immediately or wait until a service pack is released. If it decides\nto apply a patch before it comes out in a service pack, it is tested.\n\nSystem Management Server (SMS) is used by ITM to distribute patches and Vantive, a software tracking\nprogram, is used to centrally manage and track patches. The FTC is also signing up for a Sun program\nthat will run agents for packages.\n\nThe OIG noted that multiple IT components at the network, system, and application levels contained\nvulnerabilities for which vendor patches for Microsoft were not applied. This was discovered as a result\nof the internal vulnerability assessment scan performed by the OIG. ITM believes that its process may\naccount for some needed patches not being applied at the time of the scan (some patches not deemed\ncritical enough for immediate application) while other patches, including the recent Blaster/Lovesan virus\npatch, were applied, but had to be removed because they \xe2\x80\x9cadversely impacted the IT environment.\xe2\x80\x9d Both\nITM and the OIG agree that all hosts should be reviewed to ensure all the latest \xe2\x80\x9ccritical\xe2\x80\x9d Windows\npatches have been applied.\n\n2. The vulnerability assessment scan was able to guess several passwords on some servers. These\naccounts either had a blank password, a default password, or the password was the same as the login\nname. In seven cases, it was the Administrator account that did not have a password. The same finding\nwas identified in the prior year GISRA review, albeit on different servers. Blank passwords and\npasswords that are very similar to the login name are an easy way for attackers to gain access to the\nsystem. The passwords on these accounts were found to be weak and should be changed immediately to a\nvalue that meets the FTC password policy criteria.\n\nOne host was found with an account (the \xe2\x80\x9csa\xe2\x80\x9d account) with no password. This account, by default, has\nno password. If left unchanged, a remote attacker could use this account to execute arbitrary commands\non the operating system. The Spida worm actively exploits this vulnerability. All SQL Server accounts\nshould be assigned a password.\n\nThis finding points to the need to better track corrections (on POA&Ms) to ensure that recommendations\nmade on one machine or system are applied to all machines/systems to which they apply.\n\nRECOMMENDATIONS\n\nOIG recommends that ITM:\n\n    8. Document its patch management policy.\n    9. Change weak passwords to comply with FTC password policy.\n\n\n\n\n                                                                                                       -8-\n\x0c5.1.3   Policies for Cell Phone Use Need to be Refined\n\nCellular phone security is a relatively new area of security that is identified as a major security issue by\ngovernment and private sector IT experts. NIST Special Publication 800-30, Risk Management Guide for\nInformation Technology Systems, states that organizations should identify and evaluate risks and risk\nimpacts, and recommend risk-reducing measures.\n\nThe FTC has issued approximately 50 cell phones to FTC personnel in FY 2003 The OIG found that the\nFTC does not have a cellular phone policy outlining where cellular phones may be used within the FTC\nand what information may be discussed on unencrypted cellular lines. Without cellular phone policies,\nthere are no established guidelines or rules of behavior for FTC personnel to follow when using them. It\nis possible that sensitive data could be discussed or transmitted without encryption, or phones may be\nused or activated in areas where sensitive information could be overheard or retrieved.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n    10. Develop a targeted cell phone usage policy.\n\n5.1.4   Procedures For The Sanitizing, Handling, And Labeling Of Storage Media Are Not\n        Documented for CND\n\nNIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology\nSystems requires that agencies address areas such as:\n\n    \xe2\x80\xa2   Procedures for ensuring that only authorized users pick up, receive, or deliver input and output\n        information and media.\n    \xe2\x80\xa2   Audit trails for receipt of sensitive inputs/outputs.\n    \xe2\x80\xa2   Procedures for restricting access to output products.\n    \xe2\x80\xa2   Procedures and controls used for transporting or mailing media or printed output.\n    \xe2\x80\xa2   Internal/external labeling for appropriate sensitivity (e.g., Privacy Act, Proprietary).\n    \xe2\x80\xa2   External labeling with special handling instructions (e.g., log/inventory identifiers).\n    \xe2\x80\xa2   Controlled access, special storage instructions, release or destruction dates.\n\nAs of the close of fieldwork, the FTC did not have documented procedures in place for sanitizing,\nhandling, and labeling of storage media for CND. For example, in one case the FTC relies on a contractor\nfor the special handling and shipping of storage media. The contractor\xe2\x80\x99s procedure is practiced but not\ndocumented.\n\nCND will soon contain Privacy Act data that will require special handling of storage media. The FTC has\nnot established guidelines for the contractor to follow to ensure that this data is handled properly. By not\nhaving documented procedures on how storage media should be protected, shipped or labeled, it is\npossible that security procedures used to protect sensitive data may not meet FTC or federal requirements\nfor the protection of Privacy Act data.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n    11. Establish media sanitization, labeling, shipping and handling procedures to protect CND data.\n\n\n\n                                                                                                           -9-\n\x0c5.1.5     Administration of User Accounts Improves\n\nThe FTC continues to strengthen its Check-in Check-out and Move (CICOM) procedures to ensure that\naccounts are set up for new employees and terminated for employees who are separated or transferred are\nproperly handled. However, in interviewing program officials, the OIG learned that transfers within the\nFTC continue to be a problem as personnel files are not always matched with user accounts to ensure that\ntransferred individuals do not retain access to systems where access is no longer needed. It appears\nmanagers may not be aware of the need for them to notify the Information Technology Support Office\nwhenever personnel are transferred. This result in accounts remaining active and having unneeded\nprivileges when employees are transferred between FTC organizations\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n      12. Establish a procedure to ensure that intra agency transfers only have access to systems and/or\n          databases needed to perform their job responsibilities.\n\n5.1.6     Progress Made in Background Check Procedures\n\nAs a result of last year\xe2\x80\x99s GISRA assessment, the FTC made progress in reducing its backlog of required\nbackground investigations. The Administrative Services Office (ASO) had documented personnel\nsecurity procedures for full-time equivalents (FTEs) and contractors. These procedures describe the\npersonnel security process which an individual must complete prior to gaining access to FTC systems.\nThese procedures are internal to ASO and do not serve as an agency-wide policy. ITM is responsible for\nnotifying ASO as to who needs access to each system so the clearance level can be determined.\nContractors are not given access to certain systems until a background check has been completed. These\nprocedures do not define any criteria by which to determine the level of clearance needed. However,\nASO is working with the Office of Personnel Management (OPM) to define the appropriate clearance\nrequirements. Once these clearance requirements have been defined, all FTC personnel will be reviewed\nto ensure that each person possesses the appropriate clearance level.\n\nOf the approximately 1100 personnel at the FTC, 933 have background investigations. To date, there are\n48 FTC personnel with less than 15 years of service that have outstanding background checks. These\nbackground checks were submitted to OPM and are awaiting final adjudication. Personnel files for 119\nindividuals with more than 15 years of service are being reviewed to determine if a background check\nwas completed. At the time these individuals were hired, background investigations were not required.\nOPM does not retain any automated records for personnel with more than 15 years of service. ASO is\nworking with OPM to determine if these 119 individuals have appropriate background checks.\n\nDuring an interview with ASO personnel, it was noted that the average amount of time from the point of\nhire to the completion of the screening process is two weeks for fingerprints, up to six months for a\nbackground check, and up to one year for a top-secret clearance. Currently, there is not an investigation\nbacklog for clearances at a secret level or higher.\n\n5.2       Security Awareness and Training\n\nOMB A-130 requires that agencies provide security awareness training for all employees. The FTC\nrecently updated its security awareness and training course and has begun to instruct the FTC user\ncommunity through a series of security awareness briefings on an annual basis. Security awareness\ntraining for FY 2003 began in July 2003. As of September 1, 2003, 387 or 35% of FTC employees and\ncontractors received security awareness training. The security staff received security training in evidence\n\n\n                                                                                                           - 10 -\n\x0chandling, network security and Voice Over Internet Protocol (VOIP). Also, new FTC personnel receive\ntraining on safe computer practices during orientation. Conducting annual security awareness training\nhelps to improve the security awareness of FTC personnel, as demonstrated by the outcome of the OIG\xe2\x80\x99s\nsocial engineering test. (See 5.6.3)\n\n5.3       Security Incident Reporting\n\nOMB A-130 requires that agencies develop an incident response capability for their major applications\nand general support systems. The FTC Computer Incident Response Team (CIRT) handles information\nsecurity incidents. When an IT security incident occurs, employees are instructed to contact the Help\nDesk. The Physical Security Officer and IT Security Officer are notified. The CIRT then goes into action\nand tries to resolve the problem. FedCIRC is notified when the incident is new or drastically affects\nagency operations. If the event is of a criminal nature, the Office of General Counsel is contacted for\nadvice and to make a determination if law enforcement should be contacted. Law enforcement, to include\nthe OIG, is contacted if the Office of General Counsel determines such action is required. The CIO\nreported four incidents to FedCIRC this past year.\n\nIf a physical security incident occurs, the ASO security officer is notified. If the incident takes place\nwithin the FTC facility, Federal Protective Services (FPS) is contacted and responds to the incident. The\nWashington Metropolitan Police (MPD) is contacted and responds to incidents outside the facility. The\nASO Security Officer and his staff would initially respond to the incidents internal to the FTC.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n      13. Modify the Incident Response Policy to include notification to the OIG for internal security\n          incidents where criminal activity is suspected.\n\n5.4       Continuity of Operations\n\nThe FTC made progress in developing its continuity of operations program. It developed a DRP and\nconducted tabletop tests of the plan. Additionally, the FTC is working toward integrating its IT security\nwith its physical security program. The OIG identified two areas that can be strengthened\n\n1. NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems,\nstates that contingency plans should contain detailed records of system configurations in order to enhance\nsystem recovery capabilities. The contingency plan should identify vendors that supply essential\nhardware, software, and other components. The OIG learned that contingency plans for the FTC\xe2\x80\x99s major\napplications were incorporated into the DRP. However, the DRP has not undergone a functional test. A\nfunctional test will help identify weaknesses and oversights in the plan and help bring the tool to the level\nof detail it needs to be effective. Not having a detailed and tested disaster recovery plan may increase the\nrecovery time from a disaster, as well as, create additional confusion when the plan is activated. ITM\ninformed the OIG that it has no plans to perform a functional test of the DRP until it develops system\nredundancy to ensure systems remain operational during the test.\n\n2. NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems\nstates that \xe2\x80\x9c\xe2\x80\xa6memorandums of understanding (MOU), memorandums of agreement (MOA), or a Service\nLevel Agreement (SLA) for an alternate site should be developed specific to the organization\xe2\x80\x99s needs and\nthe partner organization\xe2\x80\x99s capabilities.\xe2\x80\x9d The OIG believes that FTC needs four MOU\xe2\x80\x99s and one SLA\ngiven its various IT partnerships.\n\n\n\n\n                                                                                                         - 11 -\n\x0cThe FTC has relationships with two contractors and three government agencies for various information\nprocessing arrangements. The OIG found that the FTC has one MOU and one SLA with two agencies.\nThe needed MOUs for the one remaining agency and two contractors are, according to ITM officials, in\nthe process of being finalized.\n\nRECOMMENDATIONS\n\nOIG recommends that ITM:\n\n      14. Conduct a functional test of the DRP and modify the plan as indicated by the results of the test.\n      15. Finalize appropriate agreements with the three government/contractor organizations.\n\n5.5       Configuration Management\n\nThe FTC maintains many good configuration practices. For instance, all IT management decisions must\ngo through the CIO. Change request forms are completed and a Change Management Board tracks,\napproves, and reviews system changes and projects. Additionally, hardware and software inventories are\nconducted semi-annually. There are also policies in place for managing patches and handling security\nincidents. Operations and Support also established \xe2\x80\x9csystem-hardening\xe2\x80\x9d checklists that must be completed\nfor each device before it can go into the production environment. However, the OIG identified areas of\nconfiguration management that could be strengthened.\n\n5.5.1     The FTC System Inventory Identification Process Needs to be Documented\n\nFISMA (section 305(c)) requires the head of each agency to develop and maintain an inventory of major\ninformation systems operated by or under the control of the agency. An inventory of each agency's major\ninformation systems has been required for many years by the Paperwork Reduction Act and, more\nrecently, by the 1996 Electronic Freedom of Information Act amendments. The FISMA amendments also\nprovide that the inventory be updated at least annually, made available to the Comptroller General when\nrequested, and used to support information resources management including monitoring, testing and\nevaluation of information security controls.\n\nIn the 2002 GISRA assessment, 11 FTC systems were identified. At the time of this assessment, the\nnumber of systems was reduced from eleven to eight. The FTC is currently redefining its systems using\nthe definitions of major applications and general support systems in accordance with OMB A-130 and SP\n800-26, resulting in still additional consolidation.\n\nThe Assessment Team identified seven major systems and one general support system. The major\nsystems are:\n\n      \xe2\x80\xa2   Consumer Information System (CIS)\n      \xe2\x80\xa2   Matter Management System (MMS)\n      \xe2\x80\xa2   Office of the Secretary Control and Reporting System (OSCAR)\n      \xe2\x80\xa2   Premerger Notification (Premerger) HRS and DOJ Clearance System\n      \xe2\x80\xa2   CND Registry (CND)\n      \xe2\x80\xa2   Financial Management Operations (FMO)\n      \xe2\x80\xa2   Documentum\n      \xe2\x80\xa2   Infrastructure (General Support Systems)\n\nIn the previous year, the FTC identified five general support systems and reduced the number of general\nsupport systems to three consisting of the FTC Network, e-mail, and Internet/Intranet. The FTC recently\n\n\n\n                                                                                                         - 12 -\n\x0ccombined the three general support systems into one general support system called Infrastructure in\naccordance with NIST 800-26 guidance on defining system boundaries and analyzing organizational\nboundaries.\n\nWhile consolidation and mandatory updates are part of the system evolutionary process, the FTC has not\ndocumented its process on how it determines what systems are major applications and general support\nsystems. For example, the OIG did not find any documentation assigning responsibility for maintaining\nthe system inventory, nor was there sufficient documentation to identify the interface between each\nsystem and all other systems and networks.\n\nRECOMMENDATIONS\n\nOIG recommends that ITM:\n\n    16. Maintain a single system inventory for the FTC major applications and general support systems\n        and review and update the inventory at least annually.\n    17. Modify the inventory to reflect interfaces between systems.\n    18. Document the process for identifying major applications and general support systems.\n\n5.5.2   Security Documentation is Distributed Throughout ITM\n\nThe ITM is in the process of updating and developing security documentation for its major applications\nand general support system. ITM has recently filled a vacant secretary position for the ITM office. One\nof the responsibilities of the position will be to maintain a centralized security document library. Under\nthe current distribution system, security documentation is often difficult to obtain. Although, there is no\nmandate requiring agencies to maintain a centralized library of its security documentation, a centralized\nlibrary would likely make it easier for the FTC to keep track of its security documentation and track when\nsecurity documents should be updated. As a security best practice among other Federal agencies, ITM\nshould consider developing a centralized library for security documentation.\n\n5.5.3   Configuration Management Documentation Needs Updating\n\nFISMA requires that each agency develop specific system configuration requirements that meet its own\nneeds and ensure compliance with them. This provision encompasses traditional system configuration\nmanagement, employing clearly defined system security settings, and maintaining up-to-date patches.\nSimply establishing such configuration requirements is not enough. Adequate ongoing monitoring and\nmaintenance must accompany effective configuration management.\n\nThe current configuration management documentation consists of network diagrams and some\nconfiguration management documents. The OIG reviewed the configuration management documentation\nand found it to be outdated and not sufficiently detailed enough for FTC personnel to use as an effective\nconfiguration management tool. This became apparent when the OIG used the existing documentation to\nset up and conduct a network vulnerability scan to detect system vulnerabilities. For example, IP\naddresses were not current, making it difficult to configure a targeted scan.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n    19. Update the configuration management documentation to accurately reflect the current network\n        configuration.\n\n\n\n\n                                                                                                       - 13 -\n\x0c5.5.4    Version Control Software Does not Exist on the Production Network\n\nFISMA does not require version control software but it is considered a security best practice. The FTC\ncurrently does not use version control software to track the software versions running on the servers,\nrouters, and switches on its network. The effect of not using version control software makes it more\ndifficult to track software versions running on routers, servers and workstations. This makes it difficult\nwhen trying to install patches and determine what devices require upgrades. As a security best practice\namong other federal agencies, ITM should consider installing version control software on the FTC\nproduction network.\n\n5.6      Annual Testing and Evaluation (T&E)\n\nNIST guidance for security self-assessments requires that T&E be performed annually. In addition to\nagency-sponsored tests, the OIG annually tests select systems and processes as part of its security review.\nAnnual testing conducted by the OIG in this year\xe2\x80\x99s review included phone messaging tests, a social\nengineering exercise, and internal and external vulnerability testing. Findings for each of these areas are\ndiscussed below.\n\n5.6.1    Self-Assessment\n\nFISMA and OMB Guidance requires all agency systems to be reviewed at least annually. In FY2003, the\nOIG found that ITM technically met the self-assessment requirement by preparing security plans for all of\nits systems in accordance with OMB A-130 and SP 800-30, Risk Management Guide for Information\nTechnology Systems. However, the format of the security plans make it difficult to determine the level of\nsystem security compliance as outlined in the NIST Self-Assessment Guide. For example, the OIG noted\nthat vulnerabilities were not detailed for any of the eight FTC systems.\n\nThe Federal Information Technology Security Assessment Framework published by NIST in November\n2002, identifies the importance of tests and examinations of key controls. \xe2\x80\x9cReviews of documentation,\nwalk-throughs [sic.] of agency facilities, and interviews with agency personnel, while providing useful\ninformation, are not sufficient to ensure that controls, especially computer-based controls, are operating\neffectively. Examples of tests that should be conducted are network scans to identify known\nvulnerabilities, analyses of router and switch settings and firewall rules, reviews of other system software\nsettings, and tests to see if unauthorized system access is possible (penetration testing). Tests performed\nshould consider the risks of authorized users exceeding authorization as well as unauthorized users.\xe2\x80\x9d\n\nBased on the NIST guidance, it is clear that testing and evaluating security controls is a critical\ncomponent of any IT security program. While OMB allows for flexibility in the comprehensiveness of\nthe tests based on other factors, to include the results of risk assessments and whether the systems were\ncertified and accredited, the OIG notes that, with the exception of one system, neither testing nor\nevaluation was performed in FY 2003 (except for the CND system). Hence, ITM may not have as\ncomplete a picture of its security posture as envisioned by OMB and NIST.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n      20. Perform and document NIST-defined self-assessments or some other FTC documented security\n          assessment methodology that meets or exceeds NIST SP 800-26 guidance requirements on an\n          annual basis.\n\n\n\n\n                                                                                                        - 14 -\n\x0c5.6.2   Phone Messaging Tests\n\nAs part of the 2003 FISMA evaluation the OIG evaluated the FTC\xe2\x80\x99s voice mail system to determine if\npersonnel were using strong passwords to protect their voicemail accounts. To conduct this test, 35\nnames were randomly selected from the FTC\xe2\x80\x99s 1,100 employees. For the actual test, the OIG dialed the\nvoice mail number and selected the individual\xe2\x80\x99s four-digit extension. Because the voice mail system only\nallows three unsuccessful login attempts, two series of three predetermined, commonly used passwords\nwere entered to determine if any of them would open the voice mailbox.\n\nBased upon this sampling, the OIG concluded that voice mailboxes are relatively secure against a limited\nattack. The FTC password policy provides specific guidance for developing good passwords. While\nthese guidelines do not apply to voice mail passwords, personnel should not use default passwords or any\nother easily guessed passwords on its voice mailboxes.\n\n5.6.3   Social Engineering Exercise\n\nAs part of the 2003 FISMA evaluation, the Assessment Team performed a social engineering test to\ndetermine how effectively FTC personnel are adhering to FTC security policy. FTC password policy\nstates that personnel are required to protect their passwords. The social engineering test addressed how\nwell FTC personnel protect their passwords when asked to provide the password to someone over the\ntelephone.\n\nThe OIG devised a script to determine if FTC employees could be persuaded to provide their password\nover the telephone. For this test, an individual claiming to be from the FTC Help Desk contacted 12 FTC\nemployees. The tester telephoned the individuals and told them he was checking to determine if their\nvirus protection software was functioning properly and needed to run keystroke-monitoring software to\ndo this. The employee was then asked for their password. Of the 12 individuals contacted, four or 33%\nof the individuals provided his/her password. The remaining eight individuals refused to provide their\npasswords, and three of these reported the incident to the Help Desk. Upon notification that personnel\ndisclosed passwords during the test, ITM issued an alert over the FTC e-mail notifying staff of a potential\nhacker and reminding them of their responsibility to protect their passwords.\n\nThe OIG noted that of the four individuals that gave up their passwords, three had not attended ITM\xe2\x80\x99s\nsecurity awareness training. On the other hand of the three staff who contacted the HelpDesk to alert it of\nthe attempts, two attended security training and attributed their response to the training content. This\nlatter point is important because staff is generally the first to recognize malicious activity and well trained\nstaff can alert ITM before significant damage is done.\n\n5.6.4   Internal and External Vulnerability Assessment\n\nThe OIG conducted a vulnerability assessment of the FTC network that included both an internal and an\nexternal assessment.\n\nThe internal vulnerability assessment was conducted by using the Security Administrator\xe2\x80\x99s Integrated\nNetwork Tool (SAINT\xe2\x84\xa2). SAINT\xe2\x84\xa2 analyzes the network signature of a given host, assesses the\nsignature for probable vulnerabilities, ranks the vulnerabilities in terms of severity, reports the\nvulnerabilities and suggests a remedial course of action. In addition, SAINT\xe2\x84\xa2 screens every live system\non a network for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) services. For\neach service it finds running, it launches a set of probes designed to detect anything that could allow an\nattacker to gain unauthorized access, create a denial-of-service, or gain sensitive information about the\nnetwork. A full SAINT\xe2\x84\xa2 scan of components for FTC was performed on August 5, 2003, and August 8,\n2003. The data from all the scans was combined together for analysis.\n\n\n                                                                                                          - 15 -\n\x0cThe findings from the vulnerability analysis conducted during the 2002 GISRA review were compared\nagainst the findings from the 2003 vulnerability assessment. Appendix I, \xe2\x80\x9cVulnerability Summary\nMatrix,\xe2\x80\x9d from the FTC OIG Audit Report, \xe2\x80\x9cGISRA Technical Evaluation Report\xe2\x80\x9d (AR 02-053), listed\nthirty-one specific vulnerabilities found during the 2002 evaluation. These vulnerabilities were reviewed\nto determine if any were found again during the 2003 scan. Some of the types of tests performed in 2002\nwere not repeated in 2003, as the 2002 evaluation used a different methodology and was, in selected\ninstances, a more intrusive review.\n\nThe internal vulnerability assessment identified several vulnerabilities. Passwords were guessed on\nseveral hosts, and in some cases the passwords for the Administrator account were blank. There were\nmany hosts that needed Windows updates. Several web servers were also found with possible\nvulnerabilities. A number of hosts were found with several services that may be vulnerable. These\nservices may have vulnerabilities that would allow malicious users to run arbitrary commands as a\nprivileged user, typically root.\n\nThe internal vulnerability assessment also found that some of the same types of vulnerabilities identified\nin the 2002 evaluation were found again in 2003. Frequent examples involved default passwords\nprotecting servers and routers, and hosts with blank password for the Administrator account.\n\nThe external assessment was performed using a variety of tools, including SAINT\xe2\x84\xa2, nslookup, whois,\nnmap, host, and xprobe. In addition, several attempts were made to access specific ports and services\nidentified by the SAINT\xe2\x84\xa2 scan. The external assessment was conducted partially \xe2\x80\x9cblind\xe2\x80\x9d \xe2\x80\x93 i.e.,\ninformation from the previous internal assessment and other information previously learned about the\nFTC network was not used for most of the external assessment. This was done, in part, to more closely\nsimulate how an actual \xe2\x80\x9chacker\xe2\x80\x9d might approach the penetration attempt. The external assessment was\nconducted using several steps:\n\n    \xe2\x80\xa2   Identify FTC IP Space \xe2\x80\x93 The first step was to identify the IP space \xe2\x80\x9cowned\xe2\x80\x9d by FTC. A\n        combination of nslookup and the ARIN whois service were used to identify the target IP space.\n\n    \xe2\x80\xa2   SAINT\xe2\x84\xa2 Scan \xe2\x80\x93 The next step was to perform a SAINT\xe2\x84\xa2 scan on the identified IP space.\n\n    \xe2\x80\xa2   Nmap, host, and xprobe Scans \xe2\x80\x93 After the SAINT\xe2\x84\xa2 scan, additional probes were performed\n        using nmap, host, and xprobe.\n\n    \xe2\x80\xa2   Port and Service Tests \xe2\x80\x93 Information gathered by the different scans was used to try and connect\n        to various ports and use various services.\n\nThe external vulnerability assessment identified several vulnerabilities in the FTC web servers. Several\nFTC web servers may provide more information about their configuration than is necessary. In addition,\nthere may be too much information about FTC hosts in one system accessible to the public.\n\nInternal and external scan results were provided to ITM management under separate cover for additional\nanalysis and corrective action.\n\nRECOMMENDATION\n\nOIG recommends that ITM:\n\n    21. Develop a plan and schedule to correct the vulnerabilities identified by the internal and external\n        vulnerability assessments. The plan should be communicated on the POA&M.\n\n\n                                                                                                        - 16 -\n\x0c"